Threat Insight<p>Threat researchers at Proofpoint are tracking two ongoing, highly targeted campaigns combining OAuth redirection mechanisms with brand impersonation techniques, malware proliferation, and <a href="https://infosec.exchange/tags/Microsoft365" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Microsoft365</span></a> themed <a href="https://infosec.exchange/tags/credentialphishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>credentialphishing</span></a> for <a href="https://infosec.exchange/tags/accounttakeover" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>accounttakeover</span></a>. 🧵⤵️</p><p>Proofpoint researchers recently uncovered three previously undisclosed malicious OAuth apps, disguised as ‘Adobe Drive,’ ‘Adobe Acrobat,’ and ‘Docusign’, which are used to redirect users to webpages hosting phishing and malware delivery threats.</p><p>To avoid triggering detection solutions, the observed apps were assigned limited scopes (such as profile, email, OpenID). However, Proofpoint’s threat detection engine classified them as malicious, thus protecting Proofpoint Account Takeover Protection (<a href="https://brnw.ch/21wRhAw" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">brnw.ch/21wRhAw</span><span class="invisible"></span></a>) customers.</p><p>Observed IOCs:</p><p>App IDs<br>• 14b2864e-3cff-4d33-b5cd-7f14ca272ea4 (‘Adobe Drive’)<br>• 85da47ec-2977-40ab-af03-f3d45aaab169 (‘Adobe Drive X’)<br>• 355d1228-1537-4e90-80a6-dae111bb4d70 (‘Adobe Acrobat’)<br>• 6628b5b8-55af-42b4-9797-5cd5c148313c (‘Docusign’)</p><p>Reply URLs<br>• hxxps://li.tistateronic[.]ru/OqgX<br>• hxxps://fancy-bush-61e9sydgsyi29s.jennifer-may.workers[.]dev<br>• hxxps://fly.storage.tigris[.]dev/log/Statement.HTM<br>• hxxps://log.fly.storage.tigris[.]dev/Statement.HTM<br>• hxxps://embeds.beehiiv[.]com/2066d619-1342-40ba-893d-6d0e6eee70d5</p><p>Redirection URLs<br>• hxxps://be645c1d.bentlyerool.pages[.]dev<br>• hxxps://line.infoapollocapital[.]buzz</p><p><a href="https://infosec.exchange/tags/AccountTakeover" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AccountTakeover</span></a> <a href="https://infosec.exchange/tags/ATO" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ATO</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/Apphish" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Apphish</span></a> <a href="https://infosec.exchange/tags/CloudMalware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CloudMalware</span></a></p>
Recent searches
No recent searches
Search options
Only available when logged in.
shakedown.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A community for live music fans with roots in the jam scene. Shakedown Social is run by a team of volunteers (led by @clifff and @sethadam1) and funded by donations.
Administered by:
Server stats:
277active users
shakedown.social: About · Status · Profiles directory · Privacy policy
Mastodon: About · Get the app · Keyboard shortcuts · View source code · v4.3.7
#credentialphishing
0 posts · 0 participants · 0 posts today
IT News<p>LastPass users targeted in phishing attacks good enough to trick even the savvy - Enlarge (credit: Getty Images) </p><p>Password-manager LastPass users... - <a href="https://arstechnica.com/?p=2018339" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">arstechnica.com/?p=2018339</span><span class="invisible"></span></a> <a href="https://schleuss.online/tags/multifactorauthentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>multifactorauthentication</span></a> <a href="https://schleuss.online/tags/credentialphishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>credentialphishing</span></a> <a href="https://schleuss.online/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a> <a href="https://schleuss.online/tags/lastpass" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>lastpass</span></a> <a href="https://schleuss.online/tags/biz" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>biz</span></a>&it</p>
ExploreLive feeds
Mastodon is the best way to keep up with what's happening.
Follow anyone across the fediverse and see it all in chronological order. No algorithms, ads, or clickbait in sight.
Create accountLoginDrag & drop to upload